Global Secrets
Taskurai allows you to securely store sensitive configuration values. Once secrets are defined at the global Taskurai instance level, they are available when deploying workers.
Secrets can also be referenced in container registry passwords.
Please note the following about global secrets:
- They are defined at the level of the Taskurai instance.
- They are available for use by all worker instances defined in the Taskurai instance.
- They can be set without storing the secret value in any configuration file.
- They can be set by an administrator or another responsible party.
Updating or deleting a secret does not automatically affect existing instances of workers. To update secret configuration, you need to redeploy the affected workers.
Prerequisites
- Taskurai installation (Taskurai instance, Taskurai CLI, etc.). See Taskurai Setup.
If you are not signed in to Azure yet, you will need to log in using your Azure credentials. You can use one of the following methods:
- Azure Tools extension for VS Code
- Azure CLI:
az login
- Azure PowerShell:
Connect-AzAccount
- If you are not logged in using any of the above methods, an interactive browser login will be used.
Managing Secrets using the CLI
Creating a Secret
To create a new secret, use the taskurai secret create command:
taskurai secret create --name containerregistrypassword --value "XXX1..."
Updating a Secret
To update an existing secret, use the taskurai secret update command:
taskurai secret update --name containerregistrypassword --value "XXX1..."
Showing a Secret
To view the properties of an existing secret, use the taskurai secret show command:
taskurai secret show --name containerregistrypassword
Please note that the secret value will never be returned.
Listing Secrets
To list all global secrets, use the taskurai secret list command:
taskurai secret list
Removing Secrets
To delete a secret, you can use the taskurai secret delete command:
taskurai secret delete --name containerregistrypassword
Or you can select the secret(s) from the list using the delete command:
taskurai secret delete
Setting up your Solution File
For ease of deployment and documentation purposes, it is recommended to store the names of global secrets in the configuration file:
options:
...
secrets:
- containerregistrypassword
- myglobalsecret
workers:
...
The name of the secret must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character.
Using Secrets in Worker Configuration
Global secrets can be used in:
- Worker secret configuration
- Worker container configuration
Refer to Worker Configuration for more information on how to use global secrets.
Integration in a Deployment Pipeline
If your global secrets are already available in your deployment pipeline (e.g., Azure DevOps Pipelines, GitHub Actions), the Taskurai setup can remain the same. First, define the names of your global secrets in the solution YAML file:
options:
...
secrets:
- containerregistrypassword
- myglobalsecret
workers:
...
Next, call the taskurai worker deploy command in the pipeline:
taskurai worker deploy \
--secret-overrides containerregistrypassword=mypassword \
--secret-overrides myglobalsecret=abc
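The deploy call above with the values read from pipeline-injected environment variables instead of literals in the script, as an added example that is not part of the Taskurai documentation or CLI. The TASKURAI_SECRET_ variable naming and the function names are assumptions made for this example; the name check follows the rule stated under "Setting up your Solution File".

```shell
#!/bin/sh
# Added example (not Taskurai code): deploy with secret values taken from
# environment variables that the CI secret store injects.
LC_ALL=C; export LC_ALL   # make the a-z ranges below byte-exact

# Name rule stated on this page: lower-case alphanumerics, '-' or '.',
# starting and ending with an alphanumeric character.
valid_secret_name() {
  case "$1" in
    '' | *[!a-z0-9.-]*) return 1 ;;        # empty, or a disallowed character
    [!a-z0-9]* | *[!a-z0-9]) return 1 ;;   # bad first or last character
  esac
  return 0
}

# Assumed convention (hypothetical): secret "my-secret.v2" is read from
# the environment variable TASKURAI_SECRET_MY_SECRET_V2.
env_var_for() {
  printf 'TASKURAI_SECRET_%s' "$(printf '%s' "$1" | tr 'a-z.-' 'A-Z__')"
}

# Usage: deploy_with_secrets NAME...
# Returns 1 on an invalid name, 2 on a missing value. Error messages name
# the secret and its variable only, never the value.
deploy_with_secrets() {
  n=$#
  while [ "$n" -gt 0 ]; do
    name=$1; shift; n=$((n - 1))
    if ! valid_secret_name "$name"; then
      echo "invalid secret name: $name" >&2; return 1
    fi
    var=$(env_var_for "$name")
    # eval is safe here: $var is built from a validated name, so it
    # contains only A-Z, 0-9 and '_'.
    eval "value=\${$var:-}"
    if [ -z "$value" ]; then
      echo "secret $name: variable $var is empty or unset" >&2; return 2
    fi
    # Append to the positional parameters; values keep spaces intact.
    set -- "$@" --secret-overrides "$name=$value"
  done
  unset value
  # Keep `set -x` off around this call: tracing would print the values.
  taskurai worker deploy "$@"
}
```

In a pipeline step, source this file and call deploy_with_secrets containerregistrypassword myglobalsecret after mapping the pipeline's secret variables to the assumed environment variable names.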